refactor

Dockerfile.base

@@ -1,50 +1,240 @@
 ARG PYTHONTAG=3.11.9-slim-bookworm
-FROM docker.io/library/python:${PYTHONTAG} as base-upstream
+FROM docker.io/python:${PYTHONTAG} AS base-upstream
 
-FROM base-upstream as base
+FROM base-upstream AS base
 SHELL [ "/bin/sh", "-ec" ]
 
-COPY /Dockerfile.base /usr/local/share/
+COPY /Dockerfile.base  /usr/local/share/
 
-## - remove duplicate "/usr/local/bin" (fixes upstream image)
-## - remove /sbin and /bin (/usr is merged)
-ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
+COPY /scripts/*        /usr/local/sbin/
+COPY /extra-scripts/*  /usr/local/sbin/
 
-ENV MALLOC_ARENA_MAX=2 \
+## PATH: remove /sbin and /bin (/usr is merged)
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
+    TMPDIR=/tmp \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    TERM=linux \
+    TZ=Etc/UTC \
+    MALLOC_ARENA_MAX=2 \
     PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1
 
-COPY /scripts/* /usr/local/sbin/
+## local development
+# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
+#     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
+#     PIP_TRUSTED_HOST="localhost"
 
-COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
+COPY /apt/sources.debian  /etc/apt/sources.list.d/debian.sources
+
+## prevent services from auto-starting, part 1
+RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
+    rm -f "$s" "$b" ; \
+    echo '#!/bin/sh' > "$b" ; \
+    echo 'exit 101' >> "$b" ; \
+    chmod 0755 "$b" ; \
+    ln -s "$b" "$s"
+
+RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
+    ## prevent services from auto-starting, part 2
+    divert_true /sbin/start-stop-daemon ; \
+    ## always report that we're in chroot
+    divert_true /usr/bin/ischroot ; \
+    ## hide systemd helpers
+    divert_true /usr/bin/deb-systemd-helper ; \
+    divert_true /usr/bin/deb-systemd-invoke
 
 RUN apt-env.sh apt-get update ; \
     apt-env.sh apt-get upgrade -y ; \
-    apt-env.sh dpkg -P \
-      e2fsprogs \
-      libext2fs2 \
-      libss2 \
-      logsave \
-    ; apt-clean.sh
+    apt-clean.sh
 
-RUN pip-env.sh pip list --format freeze \
+## perl-base: hardlink->symlink
+RUN d=/usr/bin ; \
+    find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
+    ls -li "$d/perl"*
+
+## remove unwanted binaries
+RUN set -f ; \
+    for i in \
+      addpart \
+      apt-ftparchive \
+      agetty \
+      badblocks \
+      blkdiscard \
+      blkid \
+      blkzone \
+      blockdev \
+      bsd-write \
+      chage \
+      chcpu \
+      chfn \
+      chgpasswd \
+      chmem \
+      chpasswd \
+      chsh \
+      cpgr \
+      cppw \
+      ctrlaltdel \
+      debugfs \
+      delpart \
+      dmesg \
+      dumpe2fs \
+      e2freefrag \
+      e2fsck \
+      e2image \
+      e2label \
+      e2mmpstatus \
+      e2scrub \
+     'e2scrub*' \
+      e2undo \
+      e4crypt \
+      e4defrag \
+      expiry \
+      faillock \
+      fdformat \
+      fincore \
+      findfs \
+      fsck \
+     'fsck.*' \
+      fsfreeze \
+      fstrim \
+      getty \
+      gpasswd \
+      groupmems \
+      grpck \
+      grpconv \
+      grpunconv \
+      hwclock \
+      isosize \
+      last \
+      lastb \
+      ldattach \
+      losetup \
+      lsblk \
+      lsirq \
+      lslogins \
+      mcookie \
+      mesg \
+      mke2fs \
+      mkfs \
+     'mkfs.*' \
+      mkhomedir_helper \
+      mklost+found \
+      mkswap \
+      mount \
+      newgrp \
+      newusers \
+      pam-auth-update \
+      pam_getenv \
+      pam_namespace_helper \
+      pam_timestamp_check \
+      partx \
+      pivot_root \
+      pwck \
+      pwconv \
+      pwhistory_helper \
+      pwunconv \
+      raw \
+      readprofile \
+      resize2fs \
+      resizepart \
+      rtcwake \
+      sg \
+      shadowconfig \
+      sulogin \
+      swaplabel \
+      swapoff \
+      swapon \
+      switch_root \
+      tune2fs \
+      umount \
+      unix_chkpwd \
+      unix_update \
+      utmpdump \
+      vigr \
+      vipw \
+      wall \
+      wdctl \
+      wipefs \
+      write \
+     'write.*' \
+      zramctl \
+    ; do \
+        for d in /usr/sbin /usr/bin /sbin /bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" \
+            | while read -r p ; do \
+                [ -n "$p" ] || continue ; \
+                [ -e "$p" ] || continue ; \
+                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
+                divert-rm.sh "$p" ; \
+            done ; \
+        done ; \
+        for d in /usr/sbin /usr/bin /sbin /bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" \
+            | while read -r p ; do \
+                [ -n "$p" ] || continue ; \
+                [ -e "$p" ] || continue ; \
+                rm -fv "$p" ; \
+            done ; \
+        done ; \
+    done ; \
+    ## fixup
+    rm -f \
+      /bin/lastb \
+      /bin/sg \
+      /sbin/getty \
+    ; :
+
+## remove excessive privileges from binaries
+RUN set -f ; \
+    for i in \
+      passwd \
+      su \
+    ; do \
+        for d in /usr/sbin /usr/bin /sbin /bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" \
+            | while read -r p ; do \
+                [ -n "$p" ] || continue ; \
+                [ -e "$p" ] || continue ; \
+                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
+                o=$(env stat -c '%U' "$p") ; \
+                g=$(env stat -c '%G' "$p") ; \
+                ls -l "$p" ; \
+                dpkg-statoverride --update --add "$o" "$g" 0755 "$p" ; \
+                ls -l "$p" ; \
+                done ; \
+        done ; \
+    done
+
+RUN apt-remove.sh \
+      ca-certificates \
+      e2fsprogs \
+    ; \
+    apt-clean.sh
+
+## "docker.io/python"-specific cleanup
+RUN rm -f /root/.wget-hsts
+
+RUN python-rm-cache.sh /usr/local ; \
+    pip-env.sh pip list --format freeze \
     | grep -F '==' | awk -F= '{print $1}' \
     | xargs -r pip-env.sh pip install -U ; \
-    pip-clean.sh /usr/local
+    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
 
-RUN site_packages=$(python3 -c 'import site;print(site.getsitepackages()[0])') ; \
-    libpython=$(dirname "${site_packages}") ; \
-    rm -rf \
+RUN python-rm-cache.sh /usr/local ; \
+    libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    rm -rfv \
+      /usr/local/bin/idle* \
       "${libpython}/ensurepip/_bundled" \
+      "${libpython}/idlelib" \
+      "${libpython}/tkinter" \
+      "${libpython}/turtle.py" \
       "${libpython}/turtledemo" \
-    ; \
-    find "${libpython}/" -maxdepth 1 -type f -name '*.py' -exec python3 -m compileall -q -j 2 {} + ; \
-    find "${libpython}/" -mindepth 1 -maxdepth 1 -type d -printf '%P\0' \
-    | sed -zE '^(__pycache__|site-packages|__phello__|ensurepip|lib2to3|pydoc.*|tkinter|unittest)$/d' \
-    | env -C "${libpython}" xargs -0r python3 -m compileall -q -j 2
+    ; :
 
-RUN rm -f /root/.wget-hsts ; \
-    find /usr/local/sbin/ ! -type d -name '*.sh' -delete
+RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
+    find /run/ -mindepth 1 -ls -delete || : ; \
+    install -d -m 01777 /run/lock
 
 ENTRYPOINT [ ]
 CMD [ "bash" ]